A while ago, I created a new repository on GitHub for the scripts I wrote for DFIR. Since then, it only had the Computer Ping script in it. Today I added the first of the Extractor scripts.
The first extractor script, xHttpExtractor.py, came about from a web-based tool I used. It would run on a file uploaded to it, and then list a bunch of indicators: system artifacts, URL call-outs, network communication, etc. However, the tool didn’t have a good export mechanism at the time. So I would copy and paste everything to a text file, and then extract the URL host details from the text files, mainly so I could add the URL indicators to the web proxy.
The xHttpExtractor.py script extracts IP addresses and domains from the host section of a URI, for http and https pages. It will pull the data whether it is fanged or defanged, as long as it has http or https and a / after the host section. (There will be an update for hxxp and hxxps; I just need to write and test that part. Maybe I’ll do meow and meows too.)
It uses regex searching in Python 3 to look for anything between the last slash in http(s):// and the / after the host info.
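Here is an added illustration of that approach (my own example, not the xHttpExtractor.py script itself): a Python 3 regex that captures the host section between the scheme’s `://` and the next `/`, accepts `hxxp`/`hxxps` alongside `http`/`https`, and refangs the `[.]`, `(.)`, `{.}` and `[dot]` substitutions, which are assumed conventions; the sample report text is constructed.

```python
import re

# Scheme may be fanged (http, https) or defanged (hxxp, hxxps). The group
# captures everything between "://" and the next "/"; the trailing "/" is
# required, mirroring the extractor described above.
HOST_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s]+)/", re.IGNORECASE)

# Defanging conventions assumed here (not taken from the original script):
# "[.]", "(.)", "{.}" and "[dot]" stand in for "." inside a host.
DEFANG_DOT_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang_host(host: str) -> str:
    """Restore defanged dots and lower-case the host."""
    return DEFANG_DOT_RE.sub(".", host).lower()


def extract_hosts(text: str) -> list:
    """Return unique hosts (IPs or domains) from http/https/hxxp/hxxps URLs.

    Order of first appearance is preserved so the output can be fed to a
    proxy blocklist as-is.
    """
    seen = []
    for match in HOST_RE.finditer(text):
        host = refang_host(match.group(1))
        # Drop userinfo ("user@") and a port suffix (":8443"); this is an
        # assumption about the desired output, not behaviour from the page.
        host = host.rsplit("@", 1)[-1].split(":", 1)[0]
        if host not in seen:
            seen.append(host)
    return seen


# Constructed sample resembling text copied out of a sandbox report.
SAMPLE_REPORT = """\
Network activity:
GET http://example[.]com/update.php
POST hxxps://203.0.113.10:8443/gate/ (beacon)
https://www.example.org/ 200 OK
hxxp://cdn(.)example.net/a/b/c.js
http://example[.]com/another/path
"""

if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_REPORT):
        print(host)
```

A URL without a `/` after the host is deliberately skipped, matching the requirement stated above.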
A co-worker / friend asked one day if I had anything that could extract URLs / domains from a text file. He had the output from TekDefense’s Automater, but it was a pain to go through by hand. I tossed xHE to him, and all was good.
I finally got around to re-writing it. While it’s not modular (I guess I could make it so), I did clean up an unneeded portion of the script.
The next extractor script will pull domain names and IP addresses from a file, when I get around to thinking about it and writing it.